urevised Posted April 9, 2008
Hi there, just got a newsletter from Protx informing me of changes. It looks like all VPS Direct merchants will need to undergo a PCI Compliance Audit. The majority of this audit involves WHMCS. Just wanted to know if you guys at WHMCS have already taken this into consideration? Thanks
urevised Posted April 16, 2008 (Author)
Anyone got a clue about this? I think it is going to be very important! Duplicating http://forum.whmcs.com/showthread.php?t=10618
BionicInternet Posted April 17, 2008
PCI Compliance isn't just to do with the billing system. Some basics you need to have:
- SSL cert for billing system login and order
- IDS - Intrusion Detection System
- Firewall - dedicated if possible
- WHMCS database on a separate server - protected by IPTables or a good firewall
- Regular security audits
- One2One staff training & updates
SilverNodashi Posted April 23, 2008
Isn't this different from country to country? I also got a notice about this recently from our bank, and we're told that our billing system and client DB need to be on our own dedicated server, in a locked cage. So, this is a problem for VPS type clients. Does anyone know anything about this? Are our banks too paranoid?
penguin Posted April 23, 2008
PCI Compliance isn't that hard to achieve to be honest - we had the same notification from Protx and had compliance in under a week. This obviously does depend on your own situation, however our servers were already pretty well up to scratch against the vulnerability testing. You will have issues though if you're using shared hosting where you cannot make the server changes to comply with their requirements.
aushosts Posted April 24, 2008
So all they want is the DB to be on a dedicated DB server, and the front end on a dedicated web server, with the DB firewalled to allow connections only from the front-end server, and some IDS and decent firewall policies?
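One concrete way to set up the "database on a separate server, firewalled to the front end" arrangement that BionicInternet and aushosts describe above. This is an added example, not code from the thread, from WHMCS or from Protx: a POSIX shell script that generates an iptables-restore ruleset for the dedicated database host, so that only the web server can reach the MySQL port and everything else on INPUT is dropped and logged, then sanity-checks the ruleset before it is loaded. The private addresses (10.0.0.10 for the web server, 10.0.0.2 for an admin host allowed to SSH in), the port and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): build and check an iptables-restore
# ruleset for a dedicated WHMCS database host. Addresses are assumptions.

WEB_IP="${WEB_IP:-10.0.0.10}"     # assumed private address of the WHMCS web server
ADMIN_IP="${ADMIN_IP:-10.0.0.2}"  # assumed admin host allowed to SSH to the DB box
DB_PORT="${DB_PORT:-3306}"        # MySQL

# Print a complete filter table in iptables-restore format.
# Default policy is DROP; only loopback, established traffic, MySQL from the
# web server and SSH from the admin host are accepted. Everything else is
# logged (for the IDS/log review) and then hits the DROP policy.
gen_db_rules() {
    web="$1"; admin="$2"; port="$3"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${web}/32 --dport ${port} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp -s ${admin}/32 --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -j LOG --log-prefix "DB-DROP: " --log-level 4
COMMIT
EOF
}

# Refuse to load a ruleset that does not default to DROP or that lets any
# non-/32 source reach the database port. Returns 0 if the ruleset is sane.
check_db_rules() {
    rules="$1"; port="$2"
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP' || return 1
    # any ACCEPT on the DB port without a single-host source is a failure
    printf '%s\n' "$rules" | grep -- "--dport ${port} " \
        | grep -v -- "-s [0-9.]*/32" | grep -q ACCEPT && return 1
    return 0
}

rules="$(gen_db_rules "$WEB_IP" "$ADMIN_IP" "$DB_PORT")"
check_db_rules "$rules" "$DB_PORT" || { echo "ruleset failed sanity check" >&2; exit 1; }
printf '%s\n' "$rules" > db-rules.v4
echo "wrote db-rules.v4; apply on the DB host with: iptables-restore < db-rules.v4"
```

The firewall is only one of the items in the list above. On the same host, make sure mysqld is bound to the private address (bind-address in my.cnf) rather than 0.0.0.0, and that the WHMCS database user is granted only to the web server's host (for example 'whmcs'@'10.0.0.10') rather than '%', so a hole in the packet filter alone does not expose the client database. The external vulnerability scan the other posters mention tests what is reachable from the internet, so it will not tell you whether the DB host is locked down internally; the check function above is meant to catch the most common mistake before the rules go live.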
penguin Posted April 24, 2008
We had nothing specified about what could be run on the server. Basically, you have to complete a checklist to ensure that you and your staff know how to handle client data correctly, then complete the vulnerability assessment. We used http://www.scanalert.com/, and if you read the bottom of this page it's free: https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/merchant/PCICompliance-outside